From d1b49362a4ef34990fc431f0ae0adece62f2bab2 Mon Sep 17 00:00:00 2001
From: Natalia Serrano
Date: Wed, 18 Dec 2024 14:42:29 +0100
Subject: [PATCH] refs #1309 fix ogGetRegistryValue
---
 client/lib/engine/bin/RegistryLib.py | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/client/lib/engine/bin/RegistryLib.py b/client/lib/engine/bin/RegistryLib.py
index 8b32511..f8dd5d1 100755
--- a/client/lib/engine/bin/RegistryLib.py
+++ b/client/lib/engine/bin/RegistryLib.py
@@ -184,6 +184,17 @@ def ogGetHivePath(mntpt, hive):
 return None
+## simulate 'grep --after-context 1'
+def _grep_A1 (strings, search_term):
+ results = []
+ for i in range (len (strings)):
+ if search_term in strings[i]:
+ results.append (strings[i])
+ if i + 1 < len(strings):
+ results.append (strings[i + 1])
+
+ return results
+
 #/**
 # ogGetRegistryValue path_mountpoint str_hive str_valuename
 #@brief Devuelve el dato de un valor del registro de Windows.
@@ -212,11 +223,18 @@ def ogGetRegistryValue (mntpt, hive, k):
 os.remove (f.name)
 lines = chntpw_out.splitlines()
+ lines = _grep_A1 (lines, '> Value')
 if 2 != len (lines):
 return None
+
+ ret = None
 if 'REG_BINARY' in lines[0]:
- offset, content = lines[1].split (maxsplit=1)
- return content
+ if re.search ('^:[0-9A-F]+ ', lines[1]):
+ print ('re.match')
+ ret = lines[1][8:56]
+ else:
+ ret = lines[1]
+ return ret
 #/**
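Review bot: `_grep_A1` does not behave like `grep --after-context 1` when two consecutive lines both contain `search_term`: the second line is appended once as the context of the first match and again as a match of its own. The caller in the second hunk rejects anything but exactly two lines, so this cannot yield a wrong value there, but any other caller would receive repeated lines. I would replace the `##` comment with a docstring such as `"""Return every line containing search_term followed by the next line; adjacent matches are emitted twice."""` and iterate with `for i, line in enumerate (strings):` rather than indexing through `range (len (strings))`.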
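Review bot: The added `print ('re.match')` in the `REG_BINARY` branch looks like leftover debug output and should be removed; it writes to stdout on every binary value read, which would pollute the result if a caller captures stdout, and the text names `re.match` while the code calls `re.search`. The slice `lines[1][8:56]` hard-codes the column layout of the hex dump, and because `_grep_A1` keeps only one line after the `> Value` header, a binary value whose dump continues on further lines would presumably come back truncated with no indication. When the pattern does not match, `ret` silently stays `None`, so a comment on the slice stating the assumed layout and the single-line limit would help the next reader. `re` has to be imported at the top of the file, which is outside this hunk, as is the start of `ogGetRegistryValue`.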